VPN with Multi-Domain Security Management
Overview
Branch offices need to connect with other branch offices. Partner sites also need to establish local and remote communication. Once connectivity has been established, the connections must be secure and have high levels of privacy, authentication, and integrity.
Only legitimate traffic must be allowed to enter a Domain internal network, and traffic must be inspected for potentially harmful content. Inside a Domain network, different levels of access must be defined so that sensitive data is only available to the right people.
Authentication Between Security Gateways
Before Security Gateways can exchange encryption keys and build VPN tunnels, they authenticate each other. Security Gateways authenticate by presenting one of these credential types:
- Certificates. Each Security Gateway presents a certificate that contains its identifying information and its public key, both signed by the Domain Management Server's trusted CA.
- Pre-shared secret. A pre-shared secret is shared between a pair of Security Gateways. Each Security Gateway must prove that it knows the pre-shared secret. The pre-shared secret can be any combination of letters and numbers.
Certificates are the preferred means and considered more secure. The Domain Management Server Internal CA automatically gives a certificate to each Security Gateway it manages, so it is also more convenient to use this type of authentication.
VPN Connectivity
These trusted entities create VPN trust in a Multi-Domain Security Management deployment:
- Certificates issued by a Domain Management Server Internal Certificate Authority (ICA).
- External third party Certificate Authority servers (using OPSEC connectivity).
- Pre-shared secrets.
The Domain Management Server ICA issues certificates used by Domain Security Gateways to create SIC trust. The primary Multi-Domain Server issues certificates to authenticate administrators.
The procedure for establishing Global VPN Communities automates part of the otherwise manual step-by-step process of defining Externally Managed Security Gateways on each Security Management Server and exchanging certificates.
Global VPN Communities
Sometimes Domains need to establish VPN between Security Gateways that are managed by different Domain Management Servers. This might happen, for example, in large enterprises that have created different Domain Management Servers to manage corporate networks in different cities or countries. Or, an MSP deployment may require communication between partners, managed as different Domains.
Cross-Domain VPN is handled by establishing Global VPN Communities. This community is similar to the regular VPN community with the exception that it can deal with Security Gateways managed by different Domain Management Servers. An administrator creates a VPN connection between Domain Security Gateways using the Domain Management Server SmartDashboard. A Global VPN Community however is defined at the Multi-Domain Security Management level, using SmartDomain Manager and Global SmartDashboard.
Multi-Domain Security Management utilizes its knowledge about different Domain network environments to ease the definition of VPN for environments run by different Domain Management Servers. In the standalone model, cross-Domain VPN is established by creating Security Gateways that are defined as externally managed Security Gateway objects. Then certificates and network information are imported into the Security Management Server databases.
In Multi-Domain Security Management, during the Global VPN Community setup, the Multi-Domain Server automatically exports relevant ICA information (such as the CA certificate) for each Domain Management Server, so that both sides can trust the other's ICA.
Security Gateway Global Names
You can configure an existing Domain Security Gateway as a global Security Gateway. This action imports the Security Gateway into the global policy database, making it accessible by all other Domain Management Servers in your deployment.
Different Domains may coincidentally contain Security Gateways using the same name. Each global Security Gateway object must have its own unique Global Name. To resolve this issue, the Global Names Template automatically assigns a unique name for each global Security Gateway. The default global name format is g<Security Gateway name>_of_<Domain name>.
For example:
- Security Gateway name = MyGateway
- Domain name = MyDomain
- Global name = gMyGateway_of_MyDomain
Changing the Global Name Template
You can change the format of names generated by the global name template. To do so:
- In the SmartDomain Manager, select from the menu.
- Select the tab.
- Enter a format string in the field. You can use the Variables button to insert variables for Security Gateway names and Domain names. The format string cannot contain spaces or special characters.
- Optionally, enter a suffix format. We recommend that the suffix be preceded by the underscore character.
Note - Make sure that your format string will always generate a unique name for global Security Gateways.
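As an added example, not taken from this guide or from Check Point software, the following Python expands a Global Names Template (with an optional suffix) for every Security Gateway enabled for global use and checks the uniqueness the Note above asks for. The variable names are the page's own; the gateway inventory is constructed.

```python
import re

# Default Global Names Template from the page; variable names are the page's own.
DEFAULT_TEMPLATE = "g<Security Gateway name>_of_<Domain name>"
VARIABLES = {"<Security Gateway name>": "gateway", "<Domain name>": "domain"}

def expand_template(template, gateway, domain, suffix=""):
    """Substitute the template variables and append the optional suffix format.
    Rejects results containing spaces or special characters, as the template rules require."""
    values = {"gateway": gateway, "domain": domain}
    name = template
    for var, key in VARIABLES.items():
        name = name.replace(var, values[key])
    name += suffix
    if not re.fullmatch(r"[A-Za-z0-9_]+", name):
        raise ValueError(f"global name {name!r} contains spaces or special characters")
    return name

def global_names(template, gateways, suffix=""):
    """Map (domain, gateway) -> global name; raise if two gateways collide."""
    seen = {}
    for domain, gateway in gateways:
        name = expand_template(template, gateway, domain, suffix)
        if name in seen:
            raise ValueError(f"{name!r} generated for both {seen[name]} and {(domain, gateway)}")
        seen[name] = (domain, gateway)
    return {pair: name for name, pair in seen.items()}

def template_is_unique(template, gateways, suffix=""):
    """True when the template yields a distinct, valid global name for every gateway."""
    try:
        global_names(template, gateways, suffix)
    except ValueError:
        return False
    return True

# Constructed inventory: two Domains coincidentally use the same Security Gateway name.
GATEWAYS = [("MyDomain", "MyGateway"), ("OtherDomain", "MyGateway"), ("MyDomain", "Branch")]
```

A template that omits the Domain variable collides for the two gateways named MyGateway, which is exactly the case the Note warns about.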
Global or Neighbor VPN Security Gateway
For Global VPN Communities, VPN tunnels are created between Security Gateways in neighboring Domains. This is analogous to externally managed VPN Security Gateways in a Security Management deployment.
A neighboring Security Gateway supports certificates issued by the other Domain CA. Both Security Gateways need to trust the other's CA.
VPN Domains in Global VPN
The administrator defines each Domain Security Gateway using SmartDashboard. When defining if the Security Gateway is a VPN Security Gateway, the administrator specifies whether the VPN Domain is to be based on the network's topology or a specific address range.
This type of network information is managed at the individual Domain network level. It resides in the Domain Management Server's Domain network information and is centralized in the Domain Management Server database. For VPN between Security Gateways of a single Domain, the VPN domain is flexible and can be defined by the Domain administrator.
To extend this approach across Domains, each Domain Management Server database would have to maintain complete data on all other Domain networks, which could also be a security breach. Instead, Multi-Domain Security Management computes address ranges from those specified in the VPN Security Gateway properties, and uses this list as the base for the VPN domain of a Security Gateway from another Domain network.
Access Control at the Network Boundary
Check Point Security Gateway provides secure access control through its granular understanding of all underlying services and applications traveling on the network. Stateful Inspection technology provides full application-layer awareness, and comprehensive access control for more than 150 pre-defined applications, services and protocols as well as the ability to specify and define custom services.
Stateful Inspection extracts state-related information required for security decisions from all application layers and maintains this information in dynamic state tables for evaluating subsequent connection attempts.
Access Control and Global VPN Communities
Configuring Security Gateways for a Domain Global VPN Community does not create a de facto access control policy between the Security Gateways. The fact that two Security Gateways belong to the same VPN community does not mean the Security Gateways have access to each other.
The configuration of the Security Gateways into a Global VPN Community means that if these Security Gateways are allowed to communicate using an access control policy, then that communication is encrypted. Access control is configured in the security policy rule base.
Using the VPN column of the security policy rule base, it is possible to create access control rules that apply only to members of a VPN community, for example:
Source | Destination | VPN | Service | Action
Any | Any | Community_A | HTTP | Accept
If all conditions of the rule are met, the rule is matched and the connection allowed.
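As an added example (not Check Point code and not from this guide), the following Python evaluates a small Simplified-policy rule base in which the VPN column names a Global VPN Community. It shows that community membership alone grants no access, that the rule in the table above matches only HTTP between Community_A members, and that a Global Policy referencing an empty community (the case noted under Configuring Global VPN Communities) never matches. The community membership, gateway global names and connections are constructed samples.

```python
from dataclasses import dataclass

# Constructed membership data; Community_B is the empty-community case from the page.
COMMUNITIES = {
    "Community_A": {"gMyGateway_of_MyDomain", "gPartnerGW_of_PartnerDomain"},
    "Community_B": set(),
}

@dataclass(frozen=True)
class Rule:             # one row of the security policy rule base
    source: str         # "Any" or a network object name
    destination: str
    vpn: str            # "Any" or a VPN community name
    service: str        # "Any" or a service name
    action: str         # "Accept" or "Drop"

@dataclass(frozen=True)
class Connection:
    src_net: str
    dst_net: str
    src_gateway: str    # global name of the gateway protecting the source
    dst_gateway: str
    service: str

def shared_community(conn):
    """Community whose members protect both ends of the connection, else None."""
    if conn.src_gateway == conn.dst_gateway:
        return None
    for name, members in COMMUNITIES.items():
        if conn.src_gateway in members and conn.dst_gateway in members:
            return name
    return None

def rule_matches(rule, conn):
    """Source/Destination/Service match "Any" or the exact object; a named VPN
    community matches only traffic between its own members."""
    cols = ((rule.source, conn.src_net), (rule.destination, conn.dst_net),
            (rule.service, conn.service))
    if any(want not in ("Any", got) for want, got in cols):
        return False
    return rule.vpn == "Any" or shared_community(conn) == rule.vpn

def evaluate(rulebase, conn):
    """First match wins; returns (action, encrypted). No match is a drop."""
    for rule in rulebase:
        if rule_matches(rule, conn):
            return rule.action, rule.action == "Accept" and shared_community(conn) is not None
    return "Drop", False

RULEBASE = [Rule("Any", "Any", "Community_A", "HTTP", "Accept")]
```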
Access Control in Global VPN
Access control for global communities is the same as for a single Domain VPN community.
- If the Accept all encrypted connections setting is active, the applicable implied VPN rules appear in the Domain Management Server policy.
- The community shows in the VPN tab of a rule.
To learn more about access control for VPN communities, see the R77 VPN Administration Guide.
Joining a Security Gateway to a Global VPN Community
There are several steps necessary to join a Domain Security Gateway to a Global VPN Community. First, each Domain Security Gateway must be enabled for global use. Then a VPN Community must be defined in Global SmartDashboard, including the global Security Gateway objects representing participating Domain Security Gateways.
Lastly, a Global Policy must be assigned to participating Domains' Domain Management Servers, and installed on the Domain Security Gateway, for each Domain and Security Gateway participating in the VPN Community. All Security Gateways participating in the Global VPN Community must employ a Simplified VPN policy. The global policy itself may be either neutral or Simplified.
When assigning a global policy to one or more Domains, global objects are copied to the database of the Domain Management Server. Whether all the global objects in the database are copied, or only those related to the global policy, is configurable per Domain using the Domain Configuration window. Rules belonging to the global policy package being assigned are being added above and below the rules inside all local policies defined in that Domain Management Server database.
For more information about global policies, see Global Policy Management.
Considerations
When you run the install policy command for Domain Management Server Security Gateways, they receive the latest Domain Management Server policy, including the most recent Global Policy. Changes may be made to a global policy, after which the global policy is reassigned to one or more Domains. When a Domain Management Server then installs the updated policy to the Domain Security Gateways, any modifications to global and local objects/rules are updated on the selected Security Gateways.
Assign and install are two different processes. The administrator can re-assign a global policy without installing a local policy to Domain Security Gateways.
During the re-assign operation, Security Gateways that participate in Global VPN Communities are provided the CA certificate for other Domains participating in the community. Certificates are automatically installed in the certificate database of the Domain Management Server assigned a global policy.
For each participating Domain, other than the Domain Management Server Domain, a global "CA Server" object is created in the Domain Management Server database, representing the certificate authority of the peer Domain. The existence of this object allows for authentication by 'Matching Criteria' to work. If by chance the certificate of the peer Domain has already been imported manually into the database, the 'Matching Criteria' references the existing certificate.
Configuring Global VPN Communities
Enabling a Domain Gateway to Join a Global VPN Community
You must close the Global SmartDashboard and SmartDashboard (if they are open in Read/Write mode), in order to perform the Enable for Global Use operation. If they are open in Read Only mode, they can remain open.
Note - Security Gateways enabled for global use do not show in the SmartDomain Manager under a Domain Management Server that is assigned all global objects, with these exceptions:
- Global services always show if they are used in global rules.
- Security Gateways show under a Domain Management Server that is part of a VPN Community or rules associated thereto.
Step 1 - In the SmartDomain Manager
Repeat this step for all Security Gateways that are to participate in the Global VPN Community.
- In the General View - Domain Contents Mode (or Network Objects Mode), right-click a Domain Security Gateway and select Enable for Global Use (or Manage > Enable for Global Use). You will be required to provide a Global Name for the Security Gateway.
A global Security Gateway object and a VPN Domain object are created for the Domain Security Gateway in the Global Database.
- Enabling clusters: The user can enable a VPN cluster for global use in the same way that a Domain Security Gateway is enabled. The cluster is exported to the Global Policy as a global Security Gateway object.
Step 2 - In Global SmartDashboard
- Define a Global Site-to-Site VPN Community.
- Add the global Security Gateway objects, defined in step 1, as participating Security Gateways in this community.
- Define global rules as needed for the new Global VPN Community, the global Security Gateway objects, and the External Domains.
Step 3 - In the SmartDomain Manager
In the Global Policies View, assign and install the Global Policy to Domains and selected Domain Security Gateways. The Global Policies View has two modes which allow slightly different activities, the Security Policies Mode and the VPN Communities Mode.
Different SmartDomain Manager views allow you to perform this step in slightly different ways. You can assign the policy to one Domain at a time, for greater load management. Or you can assign the policy to all the Domains at once, if load management is not an issue.
To assign to one Domain at a time
Through the Security Policies Mode, select a global policy. Then choose Reassign/Install Global Policy... from the Manage menu, or right-click the Domain and select Reassign/Install Global Policy.... Select the Domain Security Gateways to which the policy should be installed. The policy is assigned to the Domain Management Server database, then to the selected Domain Security Gateways.
Alternatively, use the VPN Communities Mode; the procedure is much the same. Right-click a Domain, then select Reassign/Install Global Policy... from the Manage menu or from the right-click menu.
To assign to many Domains at one time
The procedure is through the Security Policies Mode, similar to the above. Select a Global Policy, then choose Manage > Assign/Install Global Policy... or Reassign/Install Global Policy..., or right-click the policy and select Assign/Install Global Policy....
This operation assigns the Policy to all selected Domains, and then installs the Policy to all Domain Security Gateways, in one step. It does not allow you to select specific Security Gateways to which to install the Policy. If chosen, the Policy will be installed to all of the Security Gateways for the selected Domains. Assigning the Policy to many Domains and all their Security Gateways may take some time. Use this option with caution.
You can now create security rules regarding VPN using SmartDashboard for a Domain Management Server. Security Gateways which are external to a Domain but are part of the Global VPN Community, will appear as global externally managed Security Gateway objects in the Domain Management Server SmartDashboard.
The Domain's own participating Security Gateways will appear as they usually do. It is not necessary to define authentication for the external global Security Gateway objects. Matching criteria are automatically defined for the global Security Gateway objects, referring to the other Domain Management Server's Certificate Authority.
A Domain can be assigned a Global Policy which references a Global VPN Community, in which, however, none of the Domain Security Gateways participate. If this happens, the Domain Management Server database will have an empty community (without community members).